Building High Availability and High Bandwidth NAT Gateways

Building High Availability and High Bandwidth NAT Gateways

Hours Minutes 7 Credits


Google Cloud Self-Paced Labs

This lab will show you how to set up multiple NAT (Network Address Translation) gateways with Equal Cost Multi-Path (ECMP) routing and autohealing enabled for a more resilient and high-bandwidth deployment.

Google Cloud Platform (GCP) uses RFC 1918 private IP addresses for virtual machines (VMs). If these VMs need access to resources on the public internet, Network Address Translation (NAT) is required. A single NAT gateway architecture is sufficient for simple scenarios. However, higher throughput or higher availability requires a more resilient architecture.


  • Reserve three public IPs for use by the NAT gateways.

  • Create Compute Engine instances and associate reserved IPs with them.

  • Create health checks and instance groups to enable automatic failure recovery.

  • Create routing rules to distribute traffic from guest VMs to NAT gateways.

  • Tag instances for no-IP.

  • Review a sample Debian config.

Gateway Configuration

In instances where multiple routes have the same priority, GCP uses ECMP routing to distribute traffic. For this lab you'll create several NAT gateways to receive parts of the traffic through ECMP. The NAT gateways then forward the traffic to external hosts with their public IP addresses.

The following diagram shows this configuration:


For higher resiliency, you place each gateway in a separate managed instance group with a single instance and attach a simple health check to ensure they'll automatically restart if they fail. The gateways are in separate instance groups so they'll have a static external IP attached to the instance template. In this lab you'll provision three n1-standard-2 NAT gateways, but you can use any number or size of gateway. For example, n1-standard-2 instances are capped at 4 Gbps of network traffic; if you need more, you might choose n1-standard-8s.

Setup and Requirements

Qwiklabs setup

Before you click the Start Lab button

Read these instructions. Labs are timed and you cannot pause them. The timer, which starts when you click Start Lab, shows how long Cloud resources will be made available to you.

This Qwiklabs hands-on lab lets you do the lab activities yourself in a real cloud environment, not in a simulation or demo environment. It does so by giving you new, temporary credentials that you use to sign in and access the Google Cloud Platform for the duration of the lab.

What you need

To complete this lab, you need:

  • Access to a standard internet browser (Chrome browser recommended).
  • Time to complete the lab.

Note: If you already have your own personal GCP account or project, do not use it for this lab.

How to start your lab and sign in to the Console

  1. Click the Start Lab button. If you need to pay for the lab, a pop-up opens for you to select your payment method. On the left is a panel populated with the temporary credentials that you must use for this lab.

    Open Google Console

  2. Copy the username, and then click Open Google Console. The lab spins up resources, and then opens another tab that shows the Choose an account page.

    Tip: Open the tabs in separate windows, side-by-side.

  3. On the Choose an account page, click Use Another Account.

    Choose an account

  4. The Sign in page opens. Paste the username that you copied from the Connection Details panel. Then copy and paste the password.

    Important: You must use the credentials from the Connection Details panel. Do not use your Qwiklabs credentials. If you have your own GCP account, do not use it for this lab (avoids incurring charges).

  5. Click through the subsequent pages:

    • Accept the terms and conditions.
    • Do not add recovery options or two-factor authentication (because this is a temporary account).
    • Do not sign up for free trials.

After a few moments, the GCP console opens in this tab.

The Google Cloud Shell

Activate Google Cloud Shell

Google Cloud Shell is a virtual machine that is loaded with development tools. It offers a persistent 5GB home directory and runs on the Google Cloud. Google Cloud Shell provides command-line access to your GCP resources.

  1. In GCP console, on the top right toolbar, click the Open Cloud Shell button.

    Cloud Shell icon

  2. Click Continue. cloudshell_continue.png

It takes a few moments to provision and connect to the environment. When you are connected, you are already authenticated, and the project is set to your PROJECT_ID. For example:

Cloud Shell Terminal

gcloud is the command-line tool for Google Cloud Platform. It comes pre-installed on Cloud Shell and supports tab-completion.

You can list the active account name with this command:

gcloud auth list


Credentialed accounts:
 - <myaccount>@<mydomain>.com (active)

Example output:

Credentialed accounts:

You can list the project ID with this command:

gcloud config list project


project = <project_ID>

Example output:

project = qwiklabs-gcp-44776a13dea667a6

Join Qwiklabs to read the rest of this lab...and more!

  • Get temporary access to the Google Cloud Console.
  • Over 200 labs from beginner to advanced levels.
  • Bite-sized so you can learn at your own pace.
Join to Start This Lab


Create the VPC Network with subnet

Réaliser l'étape

/ 20

Create a Bastion Host and Isolated Test VM

Réaliser l'étape

/ 20

Allow SSH and enable all internal traffic within the VPC through firewall rules.

Réaliser l'étape

/ 10

Reserve and store three static IP addresses.

Réaliser l'étape

/ 10

Create the NAT Instance Templates

Réaliser l'étape

/ 10

Create the health check with necessary firewall rule.

Réaliser l'étape

/ 10

Create an instance group for each NAT gateway

Réaliser l'étape

/ 10

Add default routes to your instances

Réaliser l'étape

/ 10